Is WordPress HIPAA Compliant?

WordPress is a well-known content management system used for creating websites. A lot of businesses use WordPress, but can healthcare organizations do the same? Is WordPress HIPAA compliant, and can it be used with protected health information (PHI)?

The requirements of HIPAA compliance are quite vague for websites. However, regarding the storage or transmission of electronic protected health information (ePHI), the HIPAA Security Rule is clear. It requires the implementation of safety measures that ensure ePHI integrity, availability and confidentiality. This rule is applicable to all websites dealing with ePHI, whether built from scratch or using CMS platforms such as WordPress. Administrative, physical and technical controls need to be implemented, which include:

Access controls to stop unauthorized individuals from being able to access PHI or the admin control panel

Transmission security controls to make sure that ePHI uploaded to the site and saved on a server or third-party server is secure and protected with encryption

Physical security controls to stop unauthorized individuals from being able to access the web server

Administrators and any internal users should be trained on the HIPAA Privacy and Security Rules

The website should solely use a HIPAA-compliant hosting provider

Choosing a third-party hosting company requires a business associate agreement (BAA)

After implementing controls to ensure compliance with HIPAA Security Rule, the subsequent step is to perform a risk analysis of the website, plugins and connected systems. Any discovered risks should be managed and reduced to an acceptable level.

Concerning the need for a business associate agreement, WordPress is unlikely to sign one, and the WordPress site does not mention it. So, does this mean healthcare companies should not use WordPress? Basically, a BAA is not necessary if the purpose of the site is only to inform patients and no PHI is collected or uploaded through the site. A BAA is also not necessary if PHI is kept in a separate area that is only accessible through a plugin; in that case the plugin developer must sign a BAA.

Imagine that a healthcare company would like to use WordPress with PHI. It can be done, but the steps are fairly complex. To make WordPress HIPAA compliant, do the following:

Perform a risk analysis prior to using the site and minimize the risks to an acceptable level

Use HIPAA-compliant web hosting and ensure access, audit, and integrity controls are implemented

Perform a security scan to find vulnerabilities and mitigate any vulnerabilities that are found

Only use plugins from trusted developers

Keep the WordPress CMS and all plugins updated

Install a security plugin such as Wordfence

Employ a SaaS provider that can integrate the ePHI component into your website, or create an internal interface

Improve security of administrator accounts by using two-factor authentication

Never let users register for accounts without being vetted first

Encrypt data gathered using forms and PHI in transit

Service providers and plugin developers with access to ePHI or whose software program accesses ePHI should sign a BAA
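As an added illustration that is not part of the original article or of the WordPress project, the following must-use plugin wires several of the steps above (HTTPS-only submissions, closed registration, hardened admin defaults, and an audit trail of logins) into WordPress's own hook API. The file name, the log format and the assumption that the host already terminates TLS are mine; two-factor authentication is left to a dedicated plugin, as the list suggests.

```php
<?php
/**
 * Plugin Name: HIPAA hardening (illustrative mu-plugin, not WordPress core code)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Encryption in transit: send every non-HTTPS request to its HTTPS equivalent
// so form data carrying PHI is never submitted in the clear. Assumes the
// hosting provider already terminates TLS (a HIPAA-compliant host would).
add_action('template_redirect', function () {
    if (!is_ssl() && !defined('WP_CLI')) {
        $target = set_url_scheme(home_url($_SERVER['REQUEST_URI'] ?? '/'), 'https');
        wp_safe_redirect($target, 301);
        exit;
    }
});

// Vetted accounts only: override the "Anyone can register" option so the
// public registration form is never offered, whatever the dashboard setting.
add_filter('option_users_can_register', '__return_zero');

// Admin hardening: accounts created by an administrator default to the
// least-privileged role, and the in-browser theme/plugin editor is switched off.
add_filter('pre_option_default_role', function () {
    return 'subscriber';
});
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Audit controls: record successful and failed logins with user, role and
// source address so the entries can be reviewed as part of the risk analysis.
add_action('wp_login', function ($user_login, $user) {
    error_log(sprintf('[hipaa-audit] login ok user=%s roles=%s ip=%s',
        sanitize_text_field($user_login),
        implode(',', $user->roles),
        sanitize_text_field($_SERVER['REMOTE_ADDR'] ?? 'unknown')));
}, 10, 2);

add_action('wp_login_failed', function ($username) {
    error_log(sprintf('[hipaa-audit] login FAILED user=%s ip=%s',
        sanitize_text_field($username),
        sanitize_text_field($_SERVER['REMOTE_ADDR'] ?? 'unknown')));
});
```

The login entries go to PHP's error log; point that log at a location the hosting provider keeps under the BAA, since usernames and source addresses can themselves be sensitive.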

Before making a decision to create a website using WordPress, think about building a site from scratch or using a vendor dedicated to making HIPAA-compliant sites. Although there are ways of creating HIPAA-compliant WordPress sites, the platform has a number of security concerns and vulnerabilities.